ModuleJail Locks Down Unused Linux Kernel Modules

Jasper Nuyens, the founder of Linux Belgium, has proposed a way to reduce the attack surface of the Linux kernel, prompted by the growing number of serious vulnerabilities being found with the help of AI tools. Nuyens, who earlier created an add-on for running Linux on Tesla's in-car infotainment system, suggests lowering the likelihood of compromise by making kernel code that a system never uses unreachable.

Many of the reported vulnerabilities sit in kernel modules that are present on disk and can be loaded on demand but are rarely used, so Nuyens recommends blocking, by default, every module that the current system does not use. A typical kernel build ships thousands of modules, of which a given system loads only a small fraction; the rest remain loadable, often automatically the first time something requests them (for example, a socket of an unusual protocol family or a mount of an unfamiliar filesystem type), so any bug in them is still reachable. The idea is implemented as the ModuleJail script: it determines which modules the system actually uses and automatically blacklists all the others.

The script is released under the GPLv3 license, supports a range of Linux distributions, and writes a file /etc/modprobe.d/modulejail-blacklist.conf that stops the unused modules from being autoloaded. Because the result is just a modprobe configuration, the approach adds no extra kernel modules and no background monitoring process. One caveat to keep in mind: a modprobe "blacklist" entry prevents automatic loading through a module's aliases, but it does not stop an explicit modprobe or insmod by root, so what it removes is the on-demand loading path rather than the ability of an administrator to load the module deliberately.

Modules that are not loaded at the moment but may be needed later (hardware plugged in after the scan, a filesystem mounted occasionally) can be whitelisted, and pre-defined profiles such as "minimal", "conservative" and "desktop" add the modules that typical systems of each kind rely on. The script runs on Debian, Ubuntu, RHEL, Fedora, SUSE and other distributions and gives administrators a simple way to make vulnerabilities in never-used modules unexploitable on their systems.
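To make the mechanism concrete, here is an added example in portable shell that rebuilds the core of the idea: enumerate every module shipped for the running kernel, subtract the modules that are loaded or whitelisted, and emit modprobe.d directives for the remainder. This is illustration code written for this article, not ModuleJail's own script; the function names, the kernel release "6.1.0-example" and all sample data are constructed so that it runs offline and without root.

```sh
#!/bin/sh
# Added example, not ModuleJail's own code. Function names, the kernel
# release "6.1.0-example" and all sample data are constructed for illustration.
export LC_ALL=C

# Every module shipped for a kernel: the .ko (possibly compressed) files under
# the module directory, reduced to the module name. Dashes become underscores
# so file names (xhci-hcd.ko) match the names the kernel reports (xhci_hcd).
list_available_modules() {   # $1 = /lib/modules/<release>
    find "$1" -type f -name '*.ko*' 2>/dev/null \
        | sed -e 's#.*/##' -e 's/\.ko.*$//' -e 's/-/_/g' \
        | sort -u
}

# Modules currently in use: first column of /proc/modules (or a saved copy).
list_loaded_modules() {      # $1 = /proc/modules or a copy of it
    awk '{ gsub(/-/, "_", $1); print $1 }' "$1" | sort -u
}

# Emit modprobe.d directives for every available module that is neither
# loaded nor whitelisted. The keep list is read in BEGIN so an empty keep
# file still works (the usual NR==FNR idiom misbehaves on empty first files).
# "blacklist" only stops alias-based autoloading; pass "hard" as $3 to also
# emit "install <mod> /bin/false", which refuses an explicit modprobe too.
generate_blacklist() {       # $1 = available list, $2 = keep list, $3 = "hard" (optional)
    awk -v keep_file="$2" -v hard="${3:-}" '
        BEGIN {
            while ((getline name < keep_file) > 0)
                if (name != "") keep[name] = 1
            close(keep_file)
            print "# Generated: modules present on disk but unused on this system"
        }
        $1 != "" && !($1 in keep) {
            print "blacklist " $1
            if (hard == "hard") print "install " $1 " /bin/false"
        }' "$1"
}

# Constructed fixture standing in for a real system: four modules on disk,
# two loaded (ext4, xhci_hcd), one whitelisted (ip_gre), one unused (dccp).
build_fixture() {
    d=$(mktemp -d)
    m="$d/lib/modules/6.1.0-example/kernel"
    mkdir -p "$m/fs/ext4" "$m/net/dccp" "$m/net/ipv4" "$m/drivers/usb/host"
    : > "$m/fs/ext4/ext4.ko"
    : > "$m/net/dccp/dccp.ko.zst"
    : > "$m/net/ipv4/ip_gre.ko.xz"
    : > "$m/drivers/usb/host/xhci-hcd.ko"
    # Two constructed lines in /proc/modules layout
    printf 'ext4 1048576 2 - Live 0x0000000000000000\nxhci_hcd 327680 0 - Live 0x0000000000000000\n' > "$d/proc_modules"
    # A profile-style whitelist: keep ip_gre even though it is not loaded now
    printf 'ip_gre\n' > "$d/allow"
    echo "$d"
}

# Full pipeline on the fixture. On a real host the inputs would be
# /lib/modules/$(uname -r), /proc/modules and your own allow list, and the
# output would go to /etc/modprobe.d/modulejail-blacklist.conf.
run_on_fixture() {           # prints the generated config; $1 = "hard" (optional)
    fx=$(build_fixture)
    list_available_modules "$fx/lib/modules/6.1.0-example" > "$fx/available"
    { list_loaded_modules "$fx/proc_modules"; cat "$fx/allow"; } | sort -u > "$fx/keep"
    generate_blacklist "$fx/available" "$fx/keep" "${1:-}"
    rm -rf "$fx"
}

run_on_fixture
```

On the constructed data the only module that is neither loaded nor whitelisted is dccp, so the generated file contains a single "blacklist dccp" line. Two points worth noting when adapting this: the snapshot of /proc/modules only reflects what was loaded when the script ran, which is why a whitelist (or profile) for hardware and filesystems that appear later matters, and "blacklist" alone still allows root to load the module by hand, which the optional "install <mod> /bin/false" form closes off.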
